Puppet Class: cis_security_hardening::rules::ptrace_scope

Defined in:
manifests/rules/ptrace_scope.pp

Overview

@summary

Ensure the operating system restricts usage of ptrace to descendant processes

The operating system must restrict usage of ptrace to descendant processes.

Rationale: It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.

Examples:

class { 'cis_security_hardening::rules::ptrace_scope':
  enforce => true,
}

Parameters:

  • enforce (Boolean) (defaults to: false)

    Enforce the rule.

# File 'manifests/rules/ptrace_scope.pp', line 20

class cis_security_hardening::rules::ptrace_scope (
  Boolean $enforce = false,
) {
  # Nothing is changed unless the rule is explicitly enforced.
  if $enforce {
    sysctl {
      # Yama LSM knob: 1 restricts ptrace attach to descendant processes
      # (or callers holding CAP_SYS_PTRACE) instead of any same-uid process.
      'kernel.yama.ptrace_scope':
        ensure    => present,
        permanent => 'yes',   # also written to the persistent sysctl configuration
        value     => '1',
        notify    => Exec['reload-sysctl-system'],   # re-apply sysctl settings after the change
    }
  }
}
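To audit what this class enforces, the following shell helper is an added example and not part of the cis_security_hardening module. It interprets the live kernel.yama.ptrace_scope value read from the /proc/sys path and checks a persisted sysctl-style file for the same key; the persistent file path is an assumption, since the page does not show where the module's sysctl type writes it.

```shell
#!/bin/sh
# Audit helper for the CIS ptrace_scope rule (hypothetical, not module code).

# Translate a Yama ptrace_scope value (0-3) into its kernel meaning.
ptrace_scope_meaning() {
  case "$1" in
    0) echo "classic: any same-uid process may attach" ;;
    1) echo "restricted: only descendants (or a process with CAP_SYS_PTRACE) may attach" ;;
    2) echo "admin-only: only processes with CAP_SYS_PTRACE may attach" ;;
    3) echo "disabled: ptrace attach is off until reboot" ;;
    *) echo "unknown"; return 1 ;;
  esac
}

# Live check. $1 is a file in the /proc/sys layout (default: the real knob).
# Returns 0 when the value is 1 or higher, i.e. at least what the class sets.
ptrace_scope_compliant() {
  file="${1:-/proc/sys/kernel/yama/ptrace_scope}"
  [ -r "$file" ] || { echo "cannot read $file (Yama LSM not loaded?)"; return 2; }
  value=$(tr -d '[:space:]' < "$file")
  case "$value" in
    [0-3]) ;;
    *) echo "unexpected value '$value' in $file"; return 2 ;;
  esac
  echo "kernel.yama.ptrace_scope = $value ($(ptrace_scope_meaning "$value"))"
  [ "$value" -ge 1 ]
}

# Persistence check. $1 is a sysctl.conf / sysctl.d style file (assumed path).
# The last assignment wins, as it does when sysctl --system loads the file.
ptrace_scope_persisted() {
  file="$1"
  [ -r "$file" ] || { echo "no persistent setting file $file"; return 2; }
  value=$(sed -n 's/^[[:space:]]*kernel\.yama\.ptrace_scope[[:space:]]*=[[:space:]]*\([0-9]\).*$/\1/p' "$file" | tail -n 1)
  [ -n "$value" ] || { echo "kernel.yama.ptrace_scope not set in $file"; return 1; }
  echo "$file sets kernel.yama.ptrace_scope = $value"
  [ "$value" -ge 1 ]
}

# Usage on a live host (path of the persisted file is an assumption):
#   ptrace_scope_compliant && ptrace_scope_persisted /etc/sysctl.d/99-cis.conf
```

A host that passes the live check but fails the persistence check will fall back to the kernel default after the next reboot.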